A new report released by Shape Security yesterday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals.
The traditional "brute force" method of breaking into a user account requires the attacker to try numerous combinations of login ID and password. It's a difficult, time-consuming process. Plus, defending organizations have learned to stop these kinds of attacks by blocking multiple attempts to log into the same account, or multiple login attempts from the same IP address.
A credential stuffing attack increases the attackers success rate and reduces the time it takes to break into accounts by using stolen lists of working login IDs and passwords from other sites, since many people use the same email addresses and passwords as their credentials in multiple locations.
Since the attack go after a different user name with each new attempt, no one account sees a suspicious number of failed logins.
"You have all of these technologies that companies have deployed to try to protect against different forms of attack," said Shuman Ghosemajumder, vice president of product management at Shape Security. "The idea behind all of them is to try to identify patterns in IP address, and the problem is that attackers are now using botnets to bypass those defenses."
According to Shape Security, an average of 1 to 2 percent of stolen credentials from one site will work on a second site, meaning that a list of a million credentials will result in 10,000 hijacked accounts.
To bypass systems that look for multiple attacks from a single IP address, attackers use botnets to make it seem like the login attempts are all coming from different, and normally law-abiding computers.
"If they were coming from the same computer, it would be very obvious to defend against," said Sumit Agarwal, Shape Security's co-founder and vice president of strategy. "If they all came from a country where i don't even do business, that would be easy to defend. But the attack traffic comes during regular business hours, domestic to the country where you do business in, from unwittingly compromised machines belonging to real users."
Finally, to get around CAPTCHA challenges, attackers use optical character recognition.
According to Ghosemajumder, every single CAPTCHA-type system has been shown to be vulnerable to optical character recognition attacks for the past several years.
"Anyone who's using a CAPTCHA to try to keep automation at bay is not even introducing a significant road block," he said.
Putting all these pieces together into a targeted attack against a particular organization is not a simple task for a would-be attacker. Building a botnet, stealing credentials from another site, bypassing CAPTCHAs and other security mechanisms are all difficult tasks. Or they used to be.
With Sentry MBA, criminals buy an off-the-shelf, ready-to-go solution and pair it with a list of stolen credentials. Hundreds of millions of stolen credentials are already available for sale on underground forums, a result of the recent wave of breaches.
Sentry MBA comes with a graphical user interface that makes it possible for a criminal with very basic skills to create a very sophisticated attack, said Agarwal.
"These are not brute force attacks," said Agarwal. "These are tailored attacks that simulate human behavior."
In particular, attacks are custom designed for each website individually. Working configurations for various websites are available in the criminal forums, and they specify in detail the location of the login pages and individual form fields, plus the rules for valid password construction and other details that make it possible for Sentry MBA to log into the site.
Finally, attackers can customize their attacks further. For example, to recognize keywords that indicate successful or failed login attempts.
One potential sign that a credential attack is ongoing is that login failure rates suddenly go up dramatically.
At that point, if defenders spot the attack early, they can turn on across-the-board second factor authentication, or swap out the login page for one that hasn't been seen before.
Shape Security, in fact, is in the business of doing the latter -- creating multiple login pages on the fly that look the same to human users and browsers for the disabled, but different to automated tools that read the underlying code to find form elements.